claudetools/clients/cascades-tucson/PROJECT_STATE.md
Howard Enos 5c77b88654 sync: auto-sync from HOWARD-HOME at 2026-06-24 11:50:01
2026-06-24 11:50:29 -07:00
# Cascades of Tucson — Project State
> READ THIS before starting work on this client.
> UPDATE THIS when you begin work (claim a lock) and when you finish (release lock + log changes).
> Last updated: 2026-06-24 (Howard — folded 7 open Syncro tickets into the plan; see Pending / Next Up. NOTE: the rich current-state truth lives in `wiki/clients/cascades-tucson.md`, last compiled 2026-06-23 — this file's lower sections predate the Entra/RF/voice work.)
---
## Active Session Locks
(no active locks)
**How to claim a lock:** Add a row before starting work. Remove it when done. Locks older than 2 hours with no update are considered stale.
**Last session paused:** 2026-04-28 ~07:15 PDT — see `session-logs/2026-04-28-howard-ca-reconciliation-blocked-on-sp-role.md` for full resume point. AD-side pilot prep is DONE (`howard.enos` password reset + proxyAddresses set on CS-SERVER). CA reconciliation BLOCKED: `ComputerGuru - Tenant Admin` SP has zero directory role assignments in Cascades, so all Graph CA endpoints 403 despite token carrying `Policy.ReadWrite.ConditionalAccess`. Howard to pick Path A (Graph-side role assignment via existing `RoleManagement.ReadWrite.Directory`) or Path B (portal click as `admin@`) to grant **Conditional Access Administrator** (`b1be1c3e-b65d-4f19-8427-f6fa0d97feb9`) to SP objectId `a5fa89a9-b735-4e10-b664-f042e265d137`. After that lands: add `184.191.143.62/32` to existing `Cascades` Named Location, verify all-users MFA policy state, then Gate A3 (Entra App Reg for ALIS SSO — ALIS App Store still down so install-side is still deferred), Gate A5 (exit staging), Gate A6 (phone enroll), Gate A7 (flip CA On). Pilot target slipped from 2026-04-27 to 2026-04-28.
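The 403-despite-scope condition described above can be confirmed read-only before choosing Path A or Path B. This is an added diagnostic, not part of the project's tooling; it assumes the Microsoft.Graph PowerShell SDK is installed and reuses the tenant id, SP objectId and role template id recorded in this file.

```powershell
# Added diagnostic (not the project's tooling): list the directory role
# assignments held by the `ComputerGuru - Tenant Admin` service principal in
# the Cascades tenant and report whether Conditional Access Administrator is
# among them. A token can carry Policy.ReadWrite.ConditionalAccess and still
# get 403 from the CA endpoints when the SP holds no directory role at all.
# Assumptions: Microsoft.Graph SDK present; caller can consent to the
# read-only RoleManagement.Read.Directory scope; IDs are those in this file.
param(
    [string]$TenantId    = '207fa277-e9d8-4eb7-ada1-1064d2221498',
    [string]$PrincipalId = 'a5fa89a9-b735-4e10-b664-f042e265d137',  # SP objectId
    [string]$CaAdminRole = 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9'   # CA Administrator template id
)

Connect-MgGraph -TenantId $TenantId -Scopes 'RoleManagement.Read.Directory' -NoWelcome

# Every active directory-role assignment whose principal is the SP.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
    -Filter "principalId eq '$PrincipalId'"

if (-not $assignments) {
    Write-Warning "SP $PrincipalId has no directory role assignments; CA Graph calls will 403 regardless of token scopes."
} else {
    # Resolve each roleDefinitionId to its display name for a readable report.
    $assignments | ForEach-Object {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{
            Role             = $def.DisplayName
            RoleDefinitionId = $_.RoleDefinitionId
            Scope            = $_.DirectoryScopeId   # '/' means tenant-wide
        }
    } | Format-Table -AutoSize
}

# Single yes/no answer for the blocker: is CA Administrator assigned?
$hasCaAdmin = @($assignments | Where-Object RoleDefinitionId -eq $CaAdminRole).Count -gt 0
"Conditional Access Administrator assigned to SP: $hasCaAdmin"
```

Run it again after the role grant lands; the CA Named Location and MFA policy steps should only be attempted once the final line reports `True`.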
---
## Current State
**Status:** ACTIVE
**Last Activity:** 2026-04-17 (Howard)
Senior living community. Active project: HIPAA-compliant folder redirection GPO rollout across all departments. Folder redirection pattern validated on one user (Sharon Edwards, Life Enrichment) — Documents and Downloads redirecting to `\\CS-SERVER\homes\<username>\`. Next: second LE machine end-to-end, then Desktop and other folders, then matching GPOs for other departments.
---
## Infrastructure / Access
| Resource | Address | Vault path |
|----------|---------|------------|
| pfSense firewall | 192.168.0.1 | `clients/cascades-tucson/pfsense-firewall.sops.yaml` |
| Synology NAS (cascadesds) | 192.168.0.120:5000 (DSM) | `clients/cascades-tucson/synology-cascadesds.sops.yaml` |
| CS-SERVER (DC + file server) | 192.168.2.254, domain `cascades.local` | `clients/cascades-tucson/cs-server.sops.yaml` |
**Syncro ID:** 20149445
**M365 Tenant ID:** `207fa277-e9d8-4eb7-ada1-1064d2221498` (cascadestucson.com)
**Contact:** Meredith Kuhn — meredith.kuhn@cascadestucson.com — (520) 886-3171
**GuruRMM:**
- Client: Cascades of Tucson (`CASC`, id `42e1b0e3-f8b7-4fc5-86bd-06bdbb073b7f`)
- Site: CascadesTucson (`GOLD-MOON-4620`, id `c157c399-82d3-4581-979a-b9fad70f4fef`)
- Enrolled agents: DESKTOP-DLTAGOI (`0ed72c1c-40c7-4bd4-afed-e0bcb198936f`), CS-SERVER (`6766e973-e703-47c1-be56-76950290f87c`)
**Known traps:**
- ProfWiz-migrated users may have poisoned `User Shell Folders` — check/clean before testing redirection (`scripts/hive-cleanup-shellfolders.ps1`)
- GPMC on Server 2019/2022 writes `fdeploy1.ini` incorrectly when adding + modifying in same session — one folder per save, close/reopen between adds
- Explorer sidebar uses KnownFolder GUID form — mirror manually if sidebar doesn't resolve (`scripts/fix-live-shellfolders.ps1`)
- Machines with OneDrive KFM must unlink OneDrive before applying GPO
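Before testing redirection on a ProfWiz-migrated machine, the `User Shell Folders` hive can be audited without changing anything. The following is an added read-only check, not the project's `hive-cleanup-shellfolders.ps1`; it assumes the home share root `\\CS-SERVER\homes\<username>` noted above and classifies every entry, GUID-form names included.

```powershell
# Added audit example (not the project's hive-cleanup-shellfolders.ps1).
# Reads the signed-in user's User Shell Folders key and classifies each entry:
#   Redirected - expanded path is under the home share
#   Local      - the stock %USERPROFILE%\... default
#   Suspect    - anything else, e.g. a path left behind by a ProfWiz migration
# Read-only: nothing is written. GUID-form names are reported alongside their
# name-form twins so a sidebar mismatch (see the trap above) is visible.
# Assumption: home share root is \\CS-SERVER\homes\<username> as stated above.
param(
    [string]$HomeRoot = "\\CS-SERVER\homes\$env:USERNAME"
)

$usfPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$key = Get-Item -LiteralPath $usfPath

$report = foreach ($name in $key.GetValueNames()) {
    # Unexpanded string so %USERPROFILE% is seen as written, not resolved.
    $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
    if ($raw -isnot [string]) { continue }   # skip any non-string values
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)

    $state = if ($expanded.StartsWith($HomeRoot, 'OrdinalIgnoreCase')) {
        'Redirected'
    } elseif ($raw -like '%USERPROFILE%*') {
        'Local'
    } else {
        'Suspect'
    }

    [pscustomobject]@{
        Name     = $name
        State    = $state
        Raw      = $raw
        Expanded = $expanded
        Exists   = Test-Path -LiteralPath $expanded
    }
}

$report | Sort-Object State, Name | Format-Table -AutoSize

# Non-zero exit makes the check usable from RMM scripting.
$suspect = @($report | Where-Object State -eq 'Suspect')
if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) User Shell Folders entries point outside the profile and the home share; clean before testing redirection."
    exit 1
}
```

Entries that exist in name form but whose GUID-form twin reports a different `State` are the sidebar-mismatch case handled by `fix-live-shellfolders.ps1`.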
**GPO backup on CS-SERVER:** `C:\GPO-Backups\pre-fix-20260417-221701\` (backup ID `9c6ff7c9-0942-4cfb-b4a5-936913a3da87`)
---
## Pending / Next Up
**>> CANONICAL EXECUTION PLAN: `docs/REMAINING-WORK-PLAN.md`** (built 2026-06-24 from a live
AD+RMM domain-join diff). It sequences ALL remaining work — workstation domain migration,
users/departments/file-share access, HIPAA caregiver lockdown go-live, M365 relicense, server/RAID,
network tail — and maps every open Syncro ticket to its workstream. Work the migration from THAT doc.
**Open Syncro Tickets (folded into the engagement, 2026-06-24 — Howard review):**
These 7 open Cascades tickets are tracked as todos #1–#7 and roll up into the workstreams in the plan
above (machine/user deployment into the domain + network/HIPAA lockdown).
| Ticket | Workstream | Summary | Notes |
|--------|-----------|---------|-------|
| #32194 | Workstation deployment | Deploy spare shop machine as temp unit for a new hire | Domain-join + RMM enroll + AD account/OU/SG; target user TBD |
| #32193 | File svc / HIPAA least-priv | Restricted shared drive for Ashley + Meredith (NTFS-scoped) on CS-SERVER | Confirm Ashley's last name; structure + path with Meredith |
| #32230 | File svc / permissions | Grant Karen Rossini ALDOCS access on cascadesds (Synology) | Add to correct perm group; confirm reachability |
| #32254 | Workstation remediation | Chef-PC slow → full Windows reinstall | Back up first; re-join domain + re-enroll RMM |
| #32370 | Peripheral setup | eFax (Karen & Christin) + portable scanner on both | See `docs/servers/fax-whitelabel.md` + 2026-06-02 efax session log |
| #32319 | RF / network | WiFi dead spot Room 343 → relocate a floor-2/4 AP | Ties into active RF optimization; unifi-wifi skill, site `va6iba3v` |
| #32342 | Network | Add a switch in the Copy Room | Confirm uplink/VLAN/PoE; adopt into UniFi if managed |
**Folder Redirection (ongoing):**
- [ ] EncryptData flag on `\\CS-SERVER\homes` share (HIPAA workitem — currently false)
- [ ] Second Life Enrichment machine folder redirection end-to-end
- [ ] Desktop + other folders redirection GPOs
- [ ] Matching GPOs for remaining departments
- [ ] Folder redirection GPO verification across all enrolled machines
**Intune MDM Rollout (started 2026-04-19):**
- [x] Prereq gap check (`reports/2026-04-19-intune-mdm-prereq-gap.md`)
- [x] Create `MDMS@cascadestucson.com` service account - Business Premium, MFA, forwarding to howard@azcomputerguru.com (vault: `clients/cascades-tucson/mdm-service-account.sops.yaml`). Replaced an earlier mdm@ attempt that hit a Managed Play enterprise/consumer Google account collision.
- [x] Managed Google Play enterprise bound (bindStatus=boundAndValidated, owner mdms@)
- [x] Apple MDM Push Cert uploaded (Apple ID mdms@cascadestucson.com, serial 16FA0CAED8EEB74F, expires 2027-04-20). Renewal reminder task #9.
- [x] CSCNet Wi-Fi password vaulted (`clients/cascades-tucson/wifi-cscnet.sops.yaml`)
- [x] Entra group `Cascades - Shared Phones` + Android enrollment profile `CSC - Android Shared Phones` (token MVDVVDMPSHYJAGDAJOCN, expires 2026-06-22, linked to the Entra group). **Converted to dynamic 2026-04-21** with rule `(device.enrollmentProfileName -eq "CSC - Android Shared Phones")` — any phone enrolled via that QR auto-joins within 5-30 min (was the root cause of Phone 1 not receiving any policies: enrolled via correct profile but never added to the static group).
- [x] **B-1 Android compliance policy** `CSC - Android Compliance` (id `27eeaeda-8390-462e-a514-7d2a558f412c`) — Android 14+, 6-digit numericComplex PIN, 1-min inactivity lock, encryption required, block rooted, SafetyNet certified, Intune App Integrity. Assigned to Shared Phones. Patched 2026-04-21 to spec.
- [x] **B-2 Config profiles** — `CSC - Android Shared Phones Restrictions` (factoryResetBlocked, no USB, no unknown sources, screenCaptureBlocked, no developer settings, system updates windowed 02:00-06:00 UTC) + `CSC - CSCNet Wi-Fi (WPA2-Personal)`. Both assigned.
- [x] **B-3 Required apps** — Company Portal, Managed Home Screen, Authenticator, Edge, Microsoft Intune, Teams (+ ALIS web app). All 7 required-assigned to Shared Phones. Company Portal assignment gap closed 2026-04-21.
- [x] **B-4 ALIS web app** (id `fcbf803d-ceb7-4f4e-93ed-2be1b91a05f3`) — https://cascadestucson.alisonline.com/Login, required-assigned.
- [x] **B-5 MSDM app config** — `CSC - Microsoft Shared Device Mode (Authenticator)` + `CSC - Microsoft Shared Device Mode (Teams)` (id `3c6a354c-1616-434b-ac81-4dad7795e67b`, created 2026-04-21). Both `shared_device_mode_enabled=true`, assigned to Shared Phones.
- [x] **B-6 Test enrollment** — Samsung SM-A146U (Galaxy A15 5G) serial R9TWB0WM55R, Android 15, enrolled 2026-04-20 18:17Z, showing compliant and syncing daily.
- [ ] **NEXT:** Roll remaining 24 Samsung A15 phones (factory reset each, enroll via QR from `CSC - Android Shared Phones` profile, verify caregiver sign-in via MSDM)
- [ ] Rotate MDMS@ password (post-rollout hygiene, task #8)
- [ ] iPads are on a generic Apple ID currently — bringing them into Intune is low-priority; ABM + DEM deferred until after phones are live
- [ ] **DEFERRED:** 2-hour inactivity auto-logout — not achievable via MSDM app config (no inactivity knob). Real options: Conditional Access sign-in frequency (Mike's call — tenant-wide sensitivity) or rely on 1-min screen lock + explicit caregiver sign-out. Current posture accepted.
---
## Recent Changes
| Date | By | Change | Status |
|------|-----|--------|--------|
| 2026-04-28 | Howard | AD-side pilot prep on CS-SERVER: `howard.enos` password reset to memorable value + `proxyAddresses=SMTP:howard.enos@cascadestucson.com` added (matches G1 convention). PHS will sync this password to M365 once staging exits. | DONE |
| 2026-04-28 | Howard/Claude | Discovered Tenant Admin SP has zero directory role assignments in Cascades → blocks all CA Graph endpoints despite scope being on token. Decision pending: Graph-side role assignment vs portal click. Follow-up: patch `onboard-tenant.sh` to assign Conditional Access Admin at onboard time (mirror of `16f95e8` Exchange Op fix). | BLOCKED |
| 2026-04-25 | Howard | Entra Connect Sync installed in staging mode on CS-SERVER (PHS + Seamless SSO, scope `OU=Caregivers`). Pilot AD account `howard.enos@cascadestucson.com` created in Caregivers OU + SG-Caregivers. `admin@` re-promoted to Global Administrator after Sandra Fish residue cleanup. 7 deleted mailboxes restored from soft-delete (HIPAA retention remediation). Existing Cascades CA architecture discovered (Named Location `72.211.21.217/32`, all-users MFA policy from 2026-02-11). | IN PROGRESS |
| 2026-04-21 | Howard | Post-DMARC spoofing recheck — Mike's `p=quarantine` fix confirmed working (26h clean window). Purged 2 missed phishes (`accounting@` Inbox + `jd.martin` Deleted Items) via Graph permanentDelete. IP blocks skipped (DMARC covering). | DONE |
| 2026-04-21 | Mike | DMARC policy published as `p=quarantine; pct=100` (was `p=none`). Enforcement propagated sometime after 18:28Z on 4/20. | DEPLOYED |
| 2026-04-20 | Howard | Intune MDM rollout - service account MDMS@ + Google Play bind + Apple push cert + Entra group + Android enrollment profile (QR code) all live. Phone policies next session. | IN PROGRESS |
| 2026-04-17 | Howard | Folder redirection validated on DESKTOP-DLTAGOI (Sharon Edwards); GPO `CSC - Folder Redirection (LE)` active | DEPLOYED |
---
## How to Update
**When starting:** Add your session to Active Session Locks.
**When finishing:** Remove your lock row, add entries to Recent Changes, update Current State if needed.